Active-CSS / active-css

The epic event-driven browser language for UI with functionality in one-liner CSS. Over 100 incredible CSS commands for DOM manipulation, ajax, reactive variables, single-page application routing, and lots more. Could CSS be the JavaScript framework of the future?
https://activecss.org

Disallow dynamic DevTools insertion/changes of ACSS tags on production core #119

Closed bob2517 closed 3 years ago

bob2517 commented 3 years ago

Disallowing dynamic DevTools insertion of ACSS is a security measure to mitigate the risk of setting up things like custom commands that do stuff, getting access to variables, etc., so remove this from the production version.

It doesn't matter on the sites where there isn't any sensitive data, and the dev version could be put live on things like the docs website for demonstration purposes of the extension which is coming back this year. But if sensitive data ever does need to be collected or whatever, just ensure that that is happening on fresh pages that use the production version of the core.

Sites that use local storage or session storage should not be using the dev core live if they want to keep their data secure.
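As an added illustration of the gating this issue describes (this is not Active-CSS's own code; the build flag, the `text/acss` type value, the closure-held WeakSet and the plain-object stand-ins for DOM nodes are all assumptions), the snippet below shows a production build that only executes `<style>` blocks created by the framework's own ajax loader, while a dev build executes anything that appears in the document, including tags pasted in through DevTools:

```javascript
// Added example, not code from the Active-CSS project.
// Idea: nodes created by the framework's own loader are marked in a WeakSet that
// lives inside a closure; the insertion hook refuses, in production, any ACSS
// style tag that is not marked. A WeakSet cannot be enumerated or reached by name
// from the console, so a pasted tag does not get picked up by the normal path.

const ACSS_TYPE = 'text/acss'; // assumption: attribute value identifying ACSS blocks

function createFrameworkRuntime({ production = true } = {}) {
  const trusted = new WeakSet(); // nodes the framework itself created
  const applied = [];            // rule text that was executed
  const rejected = [];           // rule text refused by the production gate

  // Stand-in for a DOM <style> element so the example runs outside a browser.
  // Real HTMLStyleElement objects expose the same tagName/type/textContent fields.
  function makeStyleNode(text) {
    return { tagName: 'STYLE', type: ACSS_TYPE, textContent: text };
  }

  // Hook that a MutationObserver callback calls for every added node.
  function onNodeInserted(node) {
    if (node.tagName !== 'STYLE' || node.type !== ACSS_TYPE) return 'ignored';
    if (production && !trusted.has(node)) {
      rejected.push(node.textContent);
      return 'rejected';
    }
    applied.push(node.textContent); // a real core would compile the rules here
    return 'applied';
  }

  // Framework's own ajax path: mark the node trusted *before* inserting it, so the
  // same insertion hook accepts it and ajax-loaded inline ACSS keeps working.
  function loadViaAjax(text) {
    const node = makeStyleNode(text);
    trusted.add(node);
    onNodeInserted(node);
    return node;
  }

  return { makeStyleNode, onNodeInserted, loadViaAjax, applied, rejected };
}

// Browser wiring (not exercised here): feed every added node to the hook.
function observeDocument(root, runtime) {
  const observer = new MutationObserver((records) => {
    for (const record of records) {
      for (const node of record.addedNodes) runtime.onNodeInserted(node);
    }
  });
  observer.observe(root, { childList: true, subtree: true });
  return observer;
}

// Constructed walk-through with placeholder rule text.
const prod = createFrameworkRuntime({ production: true });
prod.loadViaAjax('/* constructed rule fetched by the framework */');          // applied
prod.onNodeInserted(prod.makeStyleNode('/* constructed rule pasted in DevTools */')); // rejected
```

The gate narrows the window the issue is about: in production a tag that did not come through the framework's loader is simply never compiled, so it cannot register commands or read reactive variables through the normal path. It does not stop someone who already controls the browser from stepping into the core with a debugger, which is why the issue still says sensitive data belongs on pages that load the production core and not the dev core.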

bob2517 commented 3 years ago

Done offline. It's a good job the DevTools interception had its own specific intercept code, otherwise ajax-loaded inline acss style tags would have broken. Will commit once the "run" command issue with scoping variables is complete. Sorting that issue out suddenly made this security hole visible, so I thought I'd better plug it while my attention was on it.

bob2517 commented 3 years ago

There's inherently a small performance improvement on the production core because of this fix too, which is nice.

bob2517 commented 3 years ago

On branch. Closing.